Hashicorp Terraform Enterprise vulnerabilities

CVE-2025-13432 [MEDIUM] CWE-863 CVE-2025-13432: Terraform state versions can be created by a user with specific but insufficient permissions in a Te Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise versi

CVE-2023-3114 [HIGH] CWE-266 CVE-2023-3114: Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerab

CVE-2022-25374 [HIGH] CWE-532 CVE-2022-25374: HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1.

CVE-2021-40862 [HIGH] CWE-200 CVE-2021-40862: HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1.

CVE-2021-3153 [MEDIUM] CWE-287 CVE-2021-3153: HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1.

CVE-2020-15511 [MEDIUM] CVE-2020-15511: HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user reg HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. Fixed in v202007-1.